CVE-2010-4221

ProFTPD - Stack-Based Buffer Overflow via TELNET IAC Escape Character

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 7 public exploits for CVE-2010-4221. PoCs published by Metasploit, kingcope, M41doror, including Metasploit module exploits/linux/ftp/proftp_telnet_iac.

AI-analyzed exploit summary This is a Metasploit module exploiting a stack-based buffer overflow in ProFTPD (CVE-2010-4221) via Telnet IAC commands, achieving remote code execution on Linux systems. It includes ROP chains for specific distributions like Debian Squeeze and Ubuntu 10.04.

Description

Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server.

Exploits (7)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotelinux
https://www.exploit-db.com/exploits/16851

This is a Metasploit module exploiting a stack-based buffer overflow in ProFTPD (CVE-2010-4221) via Telnet IAC commands, achieving remote code execution on Linux systems. It includes ROP chains for specific distributions like Debian Squeeze and Ubuntu 10.04.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: ProFTPD 1.3.2rc3 - 1.3.3b
No auth needed
Prerequisites: Network access to vulnerable ProFTPD server · Target system running a vulnerable version of ProFTPD
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotelinux
https://www.exploit-db.com/exploits/16878

This Metasploit module exploits a stack-based buffer overflow in ProFTPD (CVE-2010-4221) by sending a large number of Telnet IAC commands to corrupt memory and execute arbitrary code. It includes automatic targeting via banner fingerprinting and brute-forcing for specific FreeBSD versions.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ProFTPD 1.3.2rc3 - 1.3.3b (FreeBSD)
No auth needed
Prerequisites: Network access to ProFTPD server on port 21 · Vulnerable ProFTPD version (1.3.2rc3 - 1.3.3b)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by kingcope · perlremotelinux
https://www.exploit-db.com/exploits/15449

This exploit targets a buffer overflow vulnerability in ProFTPD (CVE-2010-4221) to achieve remote code execution. It includes shellcode for both FreeBSD and Linux systems, leveraging stack smashing or return-into-libc techniques depending on the target platform.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ProFTPD 1.3.2a/e/c, 1.3.3a
No auth needed
Prerequisites: Network access to ProFTPD server · Target platform and version matching one of the predefined configurations
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 2 stars
by M41doror · poc
https://github.com/M41doror/cve-2010-4221

This repository contains a functional exploit for CVE-2010-4221, targeting ProFTPD's Telnet IAC vulnerability. The exploit uses Return-Oriented Programming (ROP) to bypass ASLR and includes multiple attack types (socket reuse, reverse shell, bind shell, and custom shellcode).

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: ProFTPD (versions affected by CVE-2010-4221)
No auth needed
Prerequisites: Network access to vulnerable ProFTPD server · ProFTPD server with Telnet IAC enabled
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WRITEUP
by Mafiosohack · poc
https://github.com/Mafiosohack/Offensive-lab-2

This repository contains a detailed technical writeup of the exploitation process for CVE-2010-4221, a backdoor in ProFTPD 1.3.3c. It includes enumeration steps, exploitation using Metasploit, and post-exploitation actions.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: ProFTPD 1.3.3c
No auth needed
Prerequisites: Network access to the target · ProFTPD 1.3.3c running on the target
devstral-2 · analyzed Feb 19, 2026 Full analysis →
metasploit WORKING POC GREAT
by jduck · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/ftp/proftp_telnet_iac.rb

This Metasploit module exploits a stack-based buffer overflow in ProFTPD (CVE-2010-4221) by sending excessive Telnet IAC commands to achieve remote code execution. It includes ROP chains for specific Linux distributions (Debian, Ubuntu) to bypass stack protections.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: ProFTPD 1.3.2rc3 - 1.3.3b
No auth needed
Prerequisites: Network access to vulnerable ProFTPD server · Target running a vulnerable Linux distribution
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GREAT
by jduck · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/freebsd/ftp/proftp_telnet_iac.rb

This Metasploit module exploits a stack-based buffer overflow in ProFTPD versions 1.3.2rc3 to 1.3.3b by sending a large number of Telnet IAC commands to corrupt memory and execute arbitrary code. It includes automatic targeting via banner fingerprinting and brute-forcing for specific FreeBSD environments.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ProFTPD 1.3.2rc3 - 1.3.3b
No auth needed
Prerequisites: Network access to the target FTP server · ProFTPD version within the vulnerable range
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (13)

Core 13
Core References
Various Sources x_refsource_confirm
http://www.proftpd.org/docs/NEWS-1.3.3c
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050687.html
Third Party Advisory x_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-10-229/
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42217
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050703.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050726.html
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/2941
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/2962
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42052
Exploit x_refsource_confirm
http://bugs.proftpd.org/show_bug.cgi?id=3521
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2010:227
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/44562
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/2959

Scores

EPSS 0.9205
EPSS Percentile 99.7%

Details

CWE
CWE-119
Status published
Products (2)
proftpd/proftpd 1.3.2 (8 CPE variants)
proftpd/proftpd 1.3.3 (7 CPE variants)
Published Nov 09, 2010
Tracked Since Feb 18, 2026